Encrypted file systems allow applications to store encrypted files in non-volatile storage, such as hard drives. Encrypted file systems are typically implemented as a stack of layers with an encryption layer on top of a mounted file system. eCrtypfs, for example, is a kernel-native stacked cryptographic file system included with many Linux distributions that layers on top of lower level file systems including Linux ext 2/3/4, NFS, CIFS, XFS, ReiserFS, JFS, FAT 32, and can be extended to other file systems. eCrypffs provides a virtual file system seen by applications so that file operations go through eCrypffs. eCryptfs uses keys stored in a kernel layer key ring to encrypt and decrypt files.
Many encrypted file systems were designed on the assumption that they would operate on a single machine and therefore files would be available to all processes on a machine (assuming the user logged in had the appropriate credentials). In a networked environment, such file systems do not provide adequate security for data because any process can access the encrypted files so long as the encrypted file system key ring contains the correct key. This problem becomes more pronounced in a cloud environment. In a cloud, processes running on the same hardware may be controlled by different entities that should not access each other's data. Furthermore, the cloud environment hardware may be administered by a different set of administrators than the virtual environment provided in the cloud. Consequently, it may be undesirable for some process or administrators who have physical access to the servers and credentials to access the operating system to access the encrypted data on the servers.
In addition to the inability to properly protect data from network users and administrators, another problem faced in cloud computing and other networked computer environments is properly managing encryption keys between distributed computers. In particular, it is undesirable to store keys in non-volatile memory on a cloud server, so the keys must be stored at another location and accessed over a network. For public networks, the keys must be kept safe during transmission between the key storage and cloud server. The key management system must ensure it is not distributing keys improperly.